Microsoft Windows Defender Device Guard combines Windows Defender Application Control (WDAC) with virtualization-based protection of code integrity, but it only delivers that protection when the hardware meets its requirements and IT professionals enable Device Guard properly.
First, IT pros must confirm that the underlying hardware meets the minimum requirements for Device Guard: a 64-bit processor with virtualization extensions (Intel VT-x or AMD-V) and second-level address translation (Intel extended page tables or the AMD equivalent); a Trusted Platform Module (TPM) 2.0; UEFI firmware version 2.3.1 Errata C or later with Secure Boot enabled; and kernel-mode drivers that are compatible with Hypervisor-Enforced Code Integrity (HVCI). The driver requirement deserves particular attention, because once HVCI is on, an incompatible driver is blocked from loading, and if that driver is needed to boot, the machine may not come up at all.
In addition, the firmware must support updates delivered through Windows Update, and the platform must comply with the Hardware Security Test Interface (HSTI) specification.
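As an added example that is not part of the original article, the following PowerShell script checks the hardware requirements above on the local machine using only built-in cmdlets and CIM classes. The check labels are this example's own; the property names and the Win32_DeviceGuard codes are Microsoft's. HSTI compliance and per-driver HVCI compatibility are not exposed through these classes, so they are not covered here.

```powershell
# Added example (not from the original article): local readiness check for the
# Device Guard hardware requirements. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$results = [ordered]@{}

# 64-bit operating system and processor virtualization features.
# Note: VirtualizationFirmwareEnabled reports False once a hypervisor is already
# running, because the hypervisor hides the feature from the guest OS.
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$results['64-bit OS']          = ($os.OSArchitecture -eq '64-bit')
$results['VT-x/AMD-V enabled'] = [bool]$cpu.VirtualizationFirmwareEnabled
$results['SLAT (EPT/RVI)']     = [bool]$cpu.SecondLevelAddressTranslationExtensions

# TPM present, ready and at spec version 2.0 (SpecVersion is a string such as "2.0, 0, 1.38")
$tpm = Get-Tpm
$results['TPM present and ready'] = ($tpm.TpmPresent -and $tpm.TpmReady)
$tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$results['TPM 2.0'] = ($tpmInfo.SpecVersion -like '2.0*')

# UEFI boot with Secure Boot on. Confirm-SecureBootUEFI throws on legacy BIOS systems,
# so a thrown exception is itself a failed check.
try   { $results['UEFI Secure Boot on'] = Confirm-SecureBootUEFI }
catch { $results['UEFI Secure Boot on'] = $false }

# What Windows itself reports about VBS prerequisites.
# AvailableSecurityProperties codes: 1 = base VBS support, 2 = Secure Boot,
# 3 = DMA protection (IOMMU; only needed for "Secure Boot and DMA Protection")
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$results['VBS base support']  = (1 -in $dg.AvailableSecurityProperties)
$results['Secure Boot (VBS)'] = (2 -in $dg.AvailableSecurityProperties)
$results['DMA protection']    = (3 -in $dg.AvailableSecurityProperties)

foreach ($entry in $results.GetEnumerator()) {
    '{0,-24} {1}' -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'MISSING' })
}
```

Treat the DMA protection line as informational: it is only required if IT later selects the "Secure Boot and DMA Protection" platform security level.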
Enabling Windows Defender Device Guard
To enable the Device Guard features, virtualization-based protection of code integrity (HVCI) and Windows Defender Application Control policies, IT can use desktop management tools including Group Policy, Microsoft System Center Configuration Manager, Windows PowerShell and Microsoft Intune.
The Windows Defender Device Guard features are virtualization-based, so the Windows hypervisor must be running before anything from Device Guard takes effect. On older Windows 10 builds, IT must enable the Hyper-V hypervisor component first; the full Hyper-V role with its management tools is not required. For example, on endpoints running Windows 10 Enterprise or Education editions, IT can open the Windows Features dialog by typing "Turn Windows features on or off" in the Search box on the Taskbar and select Hyper-V Platform > Hyper-V Hypervisor.
After IT enables the hypervisor, it can open the Local Group Policy Editor, gpedit.msc. Desktop administrators can launch the editor directly by typing "gpedit.msc" in the Run box, or through Windows Search by typing "gpedit.msc" in the Search box and selecting the corresponding applet from the results. If Windows cannot find the file, the machine is probably running an edition that does not ship the Local Group Policy Editor, such as Windows 10 Home, which does not support Device Guard in any case.
Once the Local Group Policy Editor starts, desktop admins should navigate to the "Computer Configuration\Administrative Templates\System\Device Guard" node and locate the "Turn On Virtualization Based Security" policy entry. IT pros should double-click the entry, set it to Enabled and then choose the options: the platform security level (Secure Boot, or Secure Boot and DMA Protection), whether Virtualization Based Protection of Code Integrity is enabled with or without UEFI lock, and optionally Credential Guard. The UEFI lock is worth a deliberate decision: it stores the setting in a UEFI variable so that malware or an administrator cannot switch the protection off remotely by changing Group Policy or the registry, but for the same reason IT can only clear it with physical presence at the machine. After configuring the features, IT pros should close the Local Group Policy Editor and restart the computer.
If administrators would prefer to use Windows PowerShell to manage Windows Defender Device Guard features, Microsoft provides the Device Guard and Credential Guard hardware readiness tool, a PowerShell script (DG_Readiness_Tool.ps1) that checks whether the hardware is capable (-Capable), reports what is already configured (-Ready) and enables or disables Device Guard and Credential Guard (-Enable, -Disable).
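As an added example that is not part of the original article or of Microsoft's readiness tool, the following script performs the enabling procedure described above from PowerShell: it ensures the hypervisor launches at boot, writes the registry values that configure VBS and HVCI (the equivalent of the "Turn On Virtualization Based Security" policy options), and defines a function to verify the result after the reboot. The switch names and the function name are this example's own; the registry paths, value names and Win32_DeviceGuard codes are Microsoft's.

```powershell
# Added example (not from the original article): enable VBS and HVCI directly,
# then verify after reboot. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    # Example's own switches. -UefiLock corresponds to "Enabled with UEFI lock":
    # once set, it cannot be undone remotely and needs physical presence to clear.
    [switch]$UefiLock,
    # -DmaProtection corresponds to "Secure Boot and DMA Protection"; requires an IOMMU.
    [switch]$DmaProtection
)

$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'

function Test-DeviceGuardRunning {
    # Reads the live state Windows reports; meaningful only after the reboot.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning     = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciConfigured = (2 -in $dg.SecurityServicesConfigured)
        HvciRunning    = (2 -in $dg.SecurityServicesRunning)
    }
}

# Step 1: make sure the Windows hypervisor is launched at boot (harmless if already set).
bcdedit /set hypervisorlaunchtype auto | Out-Null

# Step 2: turn on VBS and choose the platform security level.
# RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA Protection
New-Item -Path $hvciKey -Force | Out-Null
Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Type DWord -Value 1
Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Type DWord `
    -Value $(if ($DmaProtection) { 3 } else { 1 })

# Step 3: turn on HVCI (virtualization-based protection of code integrity),
# with or without the UEFI lock.
Set-ItemProperty -Path $hvciKey -Name 'Enabled' -Type DWord -Value 1
Set-ItemProperty -Path $hvciKey -Name 'Locked'  -Type DWord -Value $(if ($UefiLock) { 1 } else { 0 })

Write-Host 'VBS and HVCI configured. Reboot, then run Test-DeviceGuardRunning to confirm.'
Test-DeviceGuardRunning
```

Before running this fleet-wide, check the HVCI state on a pilot device first: if Test-DeviceGuardRunning reports HvciConfigured but not HvciRunning after the reboot, the usual cause is an incompatible driver, and the Memory integrity page under Windows Security > Device security > Core isolation lists the offending drivers. Leave -UefiLock off during the pilot so the setting can still be reverted through Group Policy or the registry.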
Related Q&A from Stephen J. Bigelow